Using Cloudflare tunnel with PhotoStructure

My photostructure server is behind my home network, which has a dynamic IP address and various NAT routers.

I set up the ‘caddy’ reverse proxy and the basic authentication – see elsewhere on the photostructure documentation

Once I tested caddy, then I added cloudflare tunnel.

Note: you will need your own domain name, and will need to be able to point it to the cloudflare domain nameservers

These instructions should get you started:

Next you will need to install the ‘cloudflared’ program, and configure it. Here are the instructions I followed:

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

My system is Ubuntu, and ‘caddy’ is listening on port 1234

Here are the commands I typed to get the ‘cloudflare tunnel’ up and running.

```bash
sudo dpkg -i cloudflared-stable-linux-amd64.deb  # installs the program
cd ~/.cloudflared/
cloudflared tunnel login  # one-time authorization
cloudflared tunnel create photos  # create your tunnel and give it a name
cloudflared tunnel route dns photos photos.mydomain.com  # adds the DNS entry
```

create the two-line config.yml file

```yaml
url: http://0.0.0.0:1234
logfile: ./cloudflared.log
```

and then run

```bash
cloudflared tunnel run photos
```

that is all!
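As an added example (not part of the post above), here is a fuller config.yml using cloudflared's ingress rules instead of the single `url:` line. It binds the origin to localhost rather than 0.0.0.0, only forwards requests for the named hostname to caddy, and answers everything else with a 404. The tunnel UUID and credentials path are placeholders you would take from the output of `cloudflared tunnel create`.

```yaml
# ~/.cloudflared/config.yml (added example; values below are placeholders)
tunnel: TUNNEL-UUID-FROM-CREATE            # or the tunnel name, e.g. "photos"
credentials-file: /home/USER/.cloudflared/TUNNEL-UUID-FROM-CREATE.json
logfile: /home/USER/.cloudflared/cloudflared.log

ingress:
  # Only the hostname routed with "cloudflared tunnel route dns" reaches caddy.
  # localhost keeps the origin off any other interface.
  - hostname: photos.mydomain.com
    service: http://localhost:1234
  # Catch-all rule is required by cloudflared; unknown hostnames get a 404
  # instead of being forwarded to the reverse proxy.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the rules before you run the tunnel, and `cloudflared tunnel ingress rule https://photos.mydomain.com` shows which rule a given URL would match.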

Thanks for taking the time to write this down, @bvwelch !

I took the liberty of adding a couple markdown tweaks to your post (and linking up the example caddyfile), hope you don’t mind.


I would welcome some help with my next step, which is SSL… I know nothing about this topic, other than I probably should be using SSL with photostructure…

Here is what I am reading now:

Suggestions welcome!

Cloudflare supports letsencrypt certs, but getting the letsencrypt certbot to renew isn’t trivial (especially compared to caddy without a cloudflare proxy in the way).

This is from the caddy forum:

and this seems like a reasonable writeup:

https://sammckenzie.be/en/blog/using-caddy-with-cloudflare/

(fwiw, I’ve used a Cloudflare issued origin CA certificate, but it means you must use cloudflare’s proxy).

The Cloudflare article mentions “full” would allow a self-signed certificate at my end. Would that be a bad idea? thanks.

And by the way, why wouldn’t I want to use cloudflare’s proxy?

And if there is a better/simpler solution without cloudflare, please advise.

I’m certainly not an SSL or Cloudflare expert: but I’d assume that as long as Cloudflare is exposing your site with a high quality certificate, the certificate you present to Cloudflare shouldn’t matter.

(There are a ton of free SSL checkers online, like SSL Server Test (Powered by Qualys SSL Labs) )

Cloudflare’s cache handling is aggressive: I can’t put this forum behind Cloudflare, for example, as it breaks Discourse.

I haven’t tested PhotoStructure libraries behind Cloudflare, but if you find issues, tell me and I’ll try to get the issues sorted.

My interest in cloudflare is the tunnel – no need to open ports here. It is possible to turn off their proxy – change the orange flag to grey – and still use the tunnel and also run a script to update the dns when your ip changes.

But I will likely just wait for your official recommendations for sharing a self-hosted photostructure. Until then we are excited to just use photostructure while at home.

I use cloudflare with my photostructure instance and I'll explain what I do.
I use cloudflare tunnel, which by itself securely presents photostructure to my domain.
Using cloudflare flexible ssl works perfectly, as the data is already encrypted between the server and cloudflare.
I then use cloudflare access, which blocks all attempts at accessing the domain with a login page; this means that no contact with your server is allowed until you are signed in.

All this requires no editing of anything locally, apart from the cloudflare tunnel.

I do similar to @Saxo_Broko in that I have a Traefik container reverse proxying all of my docker containers, including PhotoStructure. I also have two helper containers that keep my CNAME entries up to date, and my IP up to date, within cloudflare (cf companion and cf ddns) so that my subdomain for PhotoStructure (among others) always lands me in the correct place.

Traefik handles the Caddy/Nginx piece of reverse proxy as well as automatically keeping LetsEncrypt certs up to date.

Everything runs over 443 with Cloudflare.

Thanks guys for your insights in using the cloudflare tunnel – may I ask – what/which sort of cloudflare accounts are you using, and what about authorization?

I’d like, for example, to be able to send a link, via text, to some specific photo. Without having to do any setup on their end? maybe a one-time-password?

At the moment I am just using the free account at cloudflare.

thanks for any suggestions.

Thanks guys for your insights in using the cloudflare tunnel – may I ask – what/which sort of cloudflare accounts are you using – free account or paid?

I use a free cloudflare account for personal use, fwiw.

I just set this up yesterday. I was already hosting DNS for my domain with them (free). I set up a cloudflared container on my unraid to point to my traefik reverse proxy. This video was a great step by step to do this. (also free)

Then I took it a step further, and set up cloudflare access with Google as the authenticator, so all my apps are secured by my google account. (this too is free!) I didn't follow a guide, but it's pretty intuitive and cloudflare itself walks you through all the steps to set up the authenticator.

So, let me see if I understand – just by itself, the tunnel will provide encryption between cloudflare and any/all services provided at the self-hosted end of the tunnel.

And the ‘Flexible SSL’ from cloudflare, will provide encryption between a visitor’s web browser and cloudflare.

In addition, assuming that everyone is willing to share the same google login/credentials, you can use the cloudflare ‘access’ to authenticate visitors to your photostructure server.

It doesn't seem necessary to use Let's Encrypt for anything…

thank you for any further suggestions/corrections,

You don’t need to share google credentials. You can have up to 50 users on cloudflare’s Access free tier. So that’s up to 50 distinct email addresses that you can grant access to. More than enough for most families…

You’re also not limited to google as an identity/email provider. Heck, you don’t even need an identity provider at all, you can use the “one-time pin” option that will email a pin each time someone logs in.

So I need to read up on cloudflare ‘access’ – I didn’t realize that visitors could have their own credentials, and yet share a common resource like a photostructure web site. thanks.

Edit: I see avdp has already beaten me to the punch. I didn't click on his link until I had already posted. Good on ya.

Here is a video tutorial on using Unraid and a Cloudflare Argo tunnel with a domain.

Here is another on creating an authentication portal using LDAP:


I like the idea a lot, but is there maybe a more informative walkthrough for the uninitiated to reverse proxies?

I installed Caddy, followed the photostructure steps to configure but I’m left with a few questions for @bvwelch

How did you test it? Did you do some port forwarding? Did you visit :2019? 2019 seems to be some default port, I’m still using 1787 for PS though. Should I be able to “see” the RP somehow working on my internet network?

My goal is to setup a domain (say jimbobsphotos.com) and point that to Cloudflares DNS servers and then that will talk with my local PS server without any port forwarding on my part via a tunnel. Am I getting the gist here?

Why do we need caddy at all? RPs are usually used to protect the internal webserver from being directly exposed to the internet IIRC, so are we using this for rudimentary authentication and TLS?

The only reason to use a reverse proxy like caddy or Traefik is to either provide SSL (https) and/or add authentication which would be absolutely required if you were exposing photostructure through your firewall (i.e. port forwarding).

But since cloudflared essentially works like a VPN tunnel, and you can encrypt and secure through cloudflare access, then it’s strictly not necessary to implement a reverse proxy. I kept mine (Traefik) in place because I had already set it up and I like the idea of the traffic inside my network to also be encrypted.


I am trying to set up remote access with caddy and the cloudflared "gizmo". The Photostructure host is behind NAT and I am getting dynamic IPs from my ISP. I opened an account with Cloudflare and changed some records on my domain registrar (1&1) to point to Cloudflare DNS. I don't have a website on that domain hosted anywhere, I just have the domain name. Now, how do I "tell" Cloudflare to point traffic directed to my domain to the IP behind my router? I assume this is done via Cloudflare tunnel, but I can't figure it out. It also should go around the router's firewall, as I am not supposed to open any ports on the router to allow the tunnel to work…

Any help is appreciated.

K